Chaitin Security Emergency Response Center disclosed a critical remote code execution (RCE) vulnerability in Apusic Application Server (AAS). The flaw is unsafe Java deserialization in the server's handling of IIOP requests: an unauthenticated attacker who can reach the IIOP listener over the network can send a crafted serialized payload that is deserialized on the server, giving arbitrary code execution in the context of the application server process and potentially full compromise of the host.
The risk summary categorizes the vulnerability as high priority, high severity, with potential for remote network access without authentication, and exploit availability through public PoC/exploit. The official patch is available with low fix complexity.
Affected versions are Apusic Application Server v10.0 Enterprise Edition SP1 through SP8. Until the patch is applied, restrict access to the IIOP port to trusted hosts only (host firewall or network ACLs), or disable the IIOP protocol entirely if nothing depends on it; note that IIOP is the transport for RMI-IIOP and remote EJB calls, so disabling it breaks clients that use those. Users are advised to download and install the patched version from the official Apusic site and then verify that the listener is no longer reachable from untrusted networks.
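To confirm that the mitigation above actually took effect, it helps to check not just whether a TCP port is open but whether an IIOP (GIOP) service is answering on it. The following is an added example, not code from the advisory or from Apusic: it builds a minimal GIOP 1.0 LocateRequest, parses the 12-byte GIOP header of whatever comes back, and reports whether an IIOP listener is exposed. The port number, the object key and the host are assumptions for illustration; Apusic's actual IIOP port is not stated in the advisory and should be taken from the server configuration.

```python
import socket
import struct

# GIOP 1.0 message types (OMG GIOP specification).
GIOP_LOCATE_REQUEST = 3
GIOP_LOCATE_REPLY = 4

# Assumed IIOP port for illustration; read the real one from the AAS config.
ASSUMED_IIOP_PORT = 1050


def build_locate_request(request_id: int, object_key: bytes) -> bytes:
    """Build a big-endian GIOP 1.0 LocateRequest message.

    Header: magic "GIOP", version 1.0, byte_order flag (0 = big-endian),
    message_type, message_size. Body: request_id, then object_key as
    sequence<octet> (length-prefixed). No serialized Java objects are sent.
    """
    body = struct.pack(">I", request_id)
    body += struct.pack(">I", len(object_key)) + object_key
    header = b"GIOP" + bytes([1, 0, 0, GIOP_LOCATE_REQUEST]) + struct.pack(">I", len(body))
    return header + body


def parse_giop_header(data: bytes) -> dict:
    """Parse the 12-byte GIOP header; raise ValueError if it is not GIOP."""
    if len(data) < 12 or data[:4] != b"GIOP":
        raise ValueError("not a GIOP message")
    major, minor, flags, msg_type = data[4], data[5], data[6], data[7]
    # In GIOP 1.0 the byte is a boolean byte_order; in 1.1+ bit 0 carries it.
    little_endian = bool(flags & 0x01)
    size = struct.unpack("<I" if little_endian else ">I", data[8:12])[0]
    return {
        "version": (major, minor),
        "little_endian": little_endian,
        "message_type": msg_type,
        "message_size": size,
    }


def probe_iiop(host: str, port: int = ASSUMED_IIOP_PORT, timeout: float = 3.0) -> str:
    """Return one of: 'unreachable', 'closed-by-peer', 'unknown-service', 'iiop-exposed'.

    'iiop-exposed' means a GIOP-speaking service answered the LocateRequest,
    i.e. the mitigation (port restriction or IIOP disabled) is NOT in place
    from this vantage point. 'INIT' is an arbitrary constructed object key.
    """
    msg = build_locate_request(request_id=1, object_key=b"INIT")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(msg)
            reply = s.recv(12)
    except OSError:
        return "unreachable"
    if not reply:
        return "closed-by-peer"
    try:
        hdr = parse_giop_header(reply)
    except ValueError:
        return "unknown-service"
    # Any well-formed GIOP reply (LocateReply or even MessageError) proves
    # an IIOP endpoint is listening and reachable from here.
    return "iiop-exposed" if hdr["message_type"] in (GIOP_LOCATE_REPLY, 6) else "iiop-exposed"


if __name__ == "__main__":
    # Run from an untrusted network segment; expect 'unreachable' after mitigation.
    print(probe_iiop("192.0.2.10"))  # host is a documentation address, assumed
```

Run the probe from each network segment that should no longer have access; anything other than "unreachable" from an untrusted segment means the firewall rule or the IIOP disablement has not taken effect where it matters.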